lunes, 7 de noviembre de 2016

MercatorNet: The overwhelming power of small things

MercatorNet: The overwhelming power of small things

The overwhelming power of small things

The overwhelming power of small things

Household devices connected to the internet are responsible for a gigantic attack on major websites
Karl D. Stephan | Nov 7 2016 | comment 

Late in October millions of internet users trying to access popular websites including Twitter, Netflix, the New York Times, and Wired suddenly saw them stop working.
The reason was that for a few hours, a massive distributed-denial-of-service (DDOS) attack hit a domain-name-server (DNS) company called Dyn, based in New Hampshire. As I mentioned in last week's blog, DNS companies provide a sort of phone-book service that turns URLs such as into machine-readable addresses that connect the person requesting a website to the server that hosts it.
They are a particularly vulnerable part of the Internet, because one DNS unit can handle requests for thousands of websites, so if you take that DNS machine down, you've automatically damaged all those websites as long as the DNS is out of service.
DDOS attacks are nothing new, but the October 21 attack was the largest yet to use primarily Internet-of-Things (IoT) devices in its "botnet" of infected devices. The Internet of Things is the proliferation of small sensors, monitors, and other devices less fancy than a standard computer that are connected to the internet for various purposes.
Here's where the zombie cameras come in. Say you buy an inexpensive security camera for your home and get it talking to your wireless connection.
If you're like millions of other buyers of such devices, you don't bother to change the default password or otherwise enhance the security features that would prevent unauthorized access to the device, like you might do if you bought a new laptop computer.
Security experts have known for some time about a new type of malware called Mirai that takes over poorly protected always-on IoT devices such as security cameras and video recorders. When the evil genius who sent out the Mirai malware sends a signal to the infected gizmos, they all start spouting requests to the targeted DNS server, which immediately gets buried in requests and can't respond to anybody. That is what a DDOS attack is.
As the victim learns the nature of the requests, programmers can mount a defense, but skillful attackers can foil these defenses too, for a time, anyway. The attackers went away after three attacks that day, each lasting a couple of hours, but by then the damage had been done. The attacks made significant dents in the revenue streams of a number of companies.
And perhaps most importantly, we learned from experience that the much-ballyhooed Internet of Things has a dark side. The question now is, what should we do about it?
Senator Mark Warner, a Democrat from Virginia, has reportedly sent letters to the FCC and other relevant Federal agencies asking that same question. According to a report on the website Computerworld, Warner has a background in the telecom industry and recognizes that government regulation may not be the best answer. For one thing, internet technology can change so fast that by the time a legislative or administrative process finally produces a regulation, it can be outmoded even before it's put into action.
Warner thinks that the IoT industries should develop some kind of seal of security approval or rating system that consumers could use to compare prospective IoT devices before they buy.
This may get somewhere, and then again it may not. The reason is that an IoT device that can be used in a DDOS attack but otherwise functions normally as far as the consumer is concerned, is a classic case of what economists call an "externality."
A more familiar type of externality is air-pollution abatement devices on cars: catalytic converters, the diesel exhaust fluid that US truck drivers now have to buy, and all that stuff. None of it makes your car run better; in fact, cars can get better mileage or performance if they don't have that anti-pollution stuff working, as Volkswagen knew when it purposely disabled the anti-pollution function on some of its diesel models and turned it on only to pass government inspections.
The pollution your car would cause without anti-pollution equipment is an externality. The additional pollution that your car causes is so small that you won't notice it. Only when you add up the contributions of the millions of cars in a city does it become a problem. But if you don't have anti-pollution stuff on your car, you're adding a tiny bit to the air pollution that everybody in your city has to breathe. It's that involuntary aspect, the fact that other people are put at a disadvantage because of your action (or inaction), that makes it an externality.
The vulnerability of IoT devices to being used in DDOS attacks is an externality of a similar kind. When you buy and install a security camera, or rent a video recorder from your cable company, and they don't have enough security software installed to prevent them from being used in a DDOS attack, you're raising the risk of such an attack for everybody on the internet. And they don't have a choice in the matter.
Historically, externality problems such as air and water pollution have been resolved only when the government gets involved at some level. When the externality problems are strictly local, sometimes local political pressures can resolve the issue, but the internet is by its nature a global thing, in the main, although for reasons that are not entirely clear, the October attacks affected mainly East Coast users.
So my guess is that to fix this issue, we are going to have to have national or international governmental cooperation to set some rules and fix minimum standards for IoT devices regarding this specific problem.
The solutions are not that hard technically: things like attaching a unique username and password to each IoT device and designing them to receive security updates. These measures are already in place for conventional computers, and as IoT devices get more sophisticated, the additional cost of these security measures will decline to the point that it will be a no-brainer, I hope.
But right now there are millions of the gizmos out there that are still vulnerable and it would be very hard to get rid of them by any means other than waiting for them to break or get replaced by new ones. So we have created a serious security problem that somebody, somewhere has figured out how to take advantage of.
Let's hope that the recent attack was the last big one of this kind. But right now that's all it is—just a hope.
Karl D. Stephan is a professor of electrical engineering at Texas State University in San Marcos, Texas. This article has been republished, with permission, from his blog, Engineering Ethics,which is a MercatorNet partner site. His ebook Ethical and Otherwise: Engineering In the Headlines is available in Kindle format and also in the iTunes store.


For most of us the reproductive technology of Brave New World is just entertaining science fiction. For Alana Newman, it is her life story. In today's lead article she describes what it feels like to be fatherless. It's a very powerful read:
When answering the oh-so-important-for-identity question, Where do I come from? Is that answer humiliating? Some of us come from slaves. Others come from criminals. And some of us come from—sperm donor beach bums. People behave better when they respect themselves. And it’s easier to do that when we can respect the people we come from.
PLEASE NOTE: A gremlin invaded our system at the last minute and made it impossible to upload images. The links below work, but the stories do not appear on the home page. We hope that this will be fixed ASAP. 

Michael Cook

The overwhelming power of small things
By Karl D. Stephan
Household devices connected to the internet are responsible for a gigantic attack on major websites
Read the full article
Powerful financial interests involved in UK pre-natal testing
By Peter Saunders
90% of Down syndrome babies are aborted. A new test will increase this.
Read the full article
The overlooked fatherless: one donor-conceived woman’s story
By Alana S. Newman
Children need to know and be known by their natural mother and father.
Read the full article
Conversations unplugged
By Juliana Weber
We have to learn again how to talk to one another, says Sherry Turkle.
Read the full article
Births outside marriage decline in U.S.
By Shannon Roberts
The trend is largely due to higher immigrant births.
Read the full article
Calling all electors: throw the election to the House, and you just might save our country
By Graham Walker
Pre-empting the perennial danger of demagogy.
Read the full article
By J. Budziszewski
What happens when a state tries to govern too many things.
Read the full article
The first statistics for Quebec’s euthanasia are available—and scary
By Paul Russell
There were nearly three times the number of expected deaths
Read the full article
Who is behind America’s After-School Satan clubs?
By Massimo Introvigne
The sinister initiative is a ploy to remove Christianity from schools.
Read the full article
More on China’s marriage problems
By Marcus Roberts
And the role of cultural norms in creating them.
Read the full article
Cutting out the middleman
By Ronnie Smith
Has Trump's campaign been nothing more than building an audience for 'Trump TV'?
Read the full article
Housework is the fountain of youth
By Joanna Roughton
A large Dutch study finds it can add years to your life.
Read the full article

MERCATORNET | New Media Foundation
Suite 12A, Level 2, 5 George Street, North Strathfied NSW 2137, Australia

Designed by elleston

New Media Foundation | Suite 12A, Level 2, 5 George St | North Strathfield NSW 2137 | AUSTRALIA | +61 2 8005 8605 

No hay comentarios:

Publicar un comentario